| author | Daniil Baturin <daniil@vyos.io> | 2024-03-18 18:55:09 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-03-18 18:55:09 +0100 | 
| commit | 8c52e7334ef5f92d48b4a6049ec42e8d84dfe673 (patch) | |
| tree | 1dc9c52b76d3511b24b8b0462a8d5327700d44a6 | |
| parent | 12b9c577330cf1e160e6ff780100876d6690a57b (diff) | |
| parent | e2df1f4929774792c1d4bfb78c2dfa5bdf7f0825 (diff) | |
| download | vyos-1x-8c52e7334ef5f92d48b4a6049ec42e8d84dfe673.tar.gz vyos-1x-8c52e7334ef5f92d48b4a6049ec42e8d84dfe673.zip | |
Merge pull request #3146 from nicolas-fort/T6136
T6136: add error checks when using dynamic firewall groups
| -rwxr-xr-x | src/conf_mode/firewall.py | 12 | 
1 files changed, 12 insertions, 0 deletions
| diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py
index 3c27655b0..810437dda 100755
--- a/src/conf_mode/firewall.py
+++ b/src/conf_mode/firewall.py
@@ -268,6 +268,18 @@ def verify_rule(firewall, rule_conf, ipv6):
             if 'port' in side_conf and dict_search_args(side_conf, 'group', 'port_group'):
                 raise ConfigError(f'{side} port-group and port cannot both be defined')
+    if 'add_address_to_group' in rule_conf:
+        for type in ['destination_address', 'source_address']:
+            if type in rule_conf['add_address_to_group']:
+                if 'address_group' not in rule_conf['add_address_to_group'][type]:
+                    raise ConfigError(f'Dynamic address group must be defined.')
+                else:
+                    target = rule_conf['add_address_to_group'][type]['address_group']
+                    fwall_group = 'ipv6_address_group' if ipv6 else 'address_group'
+                    group_obj = dict_search_args(firewall, 'group', 'dynamic_group', fwall_group, target)
+                    if group_obj is None:
+                            raise ConfigError(f'Invalid dynamic address group on firewall rule')
+
     if 'log_options' in rule_conf:
         if 'log' not in rule_conf:
             raise ConfigError('log-options defined, but log is not enable') | 
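Review bot: The new validation loop in verify_rule binds its loop variable to `type`, shadowing the builtin, and the two new ConfigError messages are f-strings with no placeholders that never tell the operator which side or which group name failed, so a misconfigured rule is hard to locate in a large ruleset. I would rename the loop variable and include the offending name, e.g. `for side in ['destination_address', 'source_address']:` and `raise ConfigError(f'Invalid dynamic address group "{target}" on {side} of firewall rule')`, and likewise mention `side` in the "must be defined" message. The `else:` after the first `raise` is redundant, and the final `raise` is indented 28 columns instead of 24, which reads as a stray paste. The check itself is the right place to reject references to undefined dynamic groups before the ruleset is committed; verify_rule begins before and continues after this hunk.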
